
Anti-Virus Advisories: Rating Them

L. Taylor - June 8, 2000

Event Summary:
A Visual Basic worm, known as the “ILOVEYOU” worm, reached epidemic proportions when it infected millions of desktops worldwide. Typically when a new virus or worm comes out, commercial anti-virus vendors issue an advisory, and an anti-virus downloadable virus killer that eliminates the virus or worm. The downloadable virus killer might be called an update, pattern, or definition. The advisory explains the scope and details of the virus, noting which files, directories, and registry keys are affected, and how the available downloadable anti-virus pattern, update, or tool fixes the problems at hand.
Viruses and worms are not exactly the same, but for the purposes of this article, we will use the word “virus” interchangeably since the products for controlling these destructive pieces of code are known as Anti-virus Products even though they are used to eradicate worms as well.

Market Impact
The advisory itself is part of what you pay for when you purchase an anti-virus product. What constitutes a good advisory? A good advisory will list the threat level, and explain how the virus works, how it infects your system, and how it spreads to other systems. The threat level should be an indication of how rampant the virus is, as well as the danger level of destruction the virus does. More obscure viruses should have a lower threat level.
Often times, after a virus circulates widely, variants of the virus start propagating as copycat virus writers start making changes to the original virus. Sometimes even variants of the variants are created. It is important for an advisory site to include listings of all possible variants. An anti-virus site without a listing of virus variants is missing important key information.
The table below looks at the anti-virus vendors, and rates their ILOVEYOU worm advisories for usability. In rating them, the following criteria were taken into consideration:
C Clarity of the virus explanation: 1 point for an explanation, plus 1 more point for an in-depth explanation.
V The number of variants listed: 1 point for some (1-4) variants listed, plus 1 more point for many variants listed.
P A listing of the platforms affected: 1 point for platforms listed, plus 1 more point for versions listed.
S Speed of the website: 2 points for a fast website, 1 point for a website of acceptable speed, 0 for a slow one.
T Threat level listed: 1 point for threat level listed, 1 point for additional information on the threat level.
I Visual images: 1 point for any visuals, plus 1 point for visuals explaining the propagation and relationship of files.
F Files affected: 1 point for listing some files, plus 1 more point for listing all files.
U Explanation of how the anti-virus update works: 1 point for explanation, plus 1 more point for quality.
One or two points were assigned for each of the criteria that were met, and the anti-virus products were subsequently ranked. The link column contains a hyperlink to the actual advisory site that we used for the analysis.


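| Company | Product | C | V | P | S | T | I | F | U | Points | Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Aladdin | eSafe | 2 | 2 | 0 | 1 | 0 | 0 | 2 | 2 | 9 | 3rd |
| CA | Inoculan | 2 | 1 | 0 | 1 | 0 | 1 | 2 | 1 | 8 | 4th |
| Content Technologies | Mimesweeper | 0 | 0 | 0 | 2 | 0 | 0 | 1 | 0 | 3 | 8th |
| F-Secure | F-Prot | 2 | 2 | 0 | 2 | 0 | 1 | 2 | 2 | 11 | 2nd |
| Finjan | SurfinGuard | 1 | 0 | 0 | 2 | 2 | 0 | 1 | 1 | 7 | 5th |
| NAI | McAfee | 1 | 1 | 0 | 0 | 2 | 0 | 1 | 1 | 6 | 6th |
| NAI | Dr. Solomon’s | 1 | 1 | 0 | 0 | 2 | 0 | 1 | 1 | 6 | 6th |
| NAI | Virex | - | - | - | - | - | - | - | - | - | - |
| Nemx | Anti Virus | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 2 | 9th |
| Norman | VirusControl | 2 | 2 | 1 | 1 | 0 | 0 | 2 | 1 | 9 | 3rd |
| Proland | ProtectorPlus | 1 | 1 | 2 | 2 | 0 | 0 | 1 | 0 | 7 | 5th |
| Sophos | Antivirus | 1 | 2 | 0 | 1 | 0 | 2 | 0 | 1 | 7 | 5th |
| Sybari | Antigen | 1 | 0 | 0 | 2 | 0 | 0 | 1 | 0 | 4 | 7th |
| Symantec | Norton | 2 | 2 | 0 | 2 | 2 | 0 | 2 | 2 | 12 | 1st |
| Trend Micro | Interscan | 1 | 2 | 0 | 1 | 1 | 0 | 1 | 1 | 7 | 5th |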

Advisory Winners
The current anti-virus advisory leaders are clearly Symantec and F-Secure, with Aladdin and Norman close behind. While it’s no surprise to see Symantec and F-Secure take the lead, Israel-based Aladdin and Norway-based Norman anti-virus advisories surprisingly rated better than any of the Network Associates or Trend Micro advisories. In an April 2000 test of anti-virus products, Virus Bulletin found that both of these products achieved 100% detection on “in the wild” viruses.
Cupertino-based Symantec, showing a resiliency to the currently volatile market, is clearly out in front as far as understanding their market niche. With approximately 25% market share, and a lot of competition, it already has other anti-virus vendors nipping at its heels in the race for dominance of the global $1.2 billion market.
The Finland-based F-Secure site contained the best explanation (complete with screenshots) on how to uninstall Windows Script Host (WSH), which is what allows Visual Basic Scripting (VBS) programs to run. Once Windows Script Host is disabled, VBS programs cannot run, even if they exist on the system. You won’t actually be getting rid of the virus or worm by disabling Windows Script Host, but you will prevent it from doing any further damage.

With three out of four of the anti-virus leaders headquartered outside the United States, it is clear that the anti-virus vendors are thriving overseas. The many institutions of higher learning overseas that have advanced programs in computer science, security engineering, and cryptography have been a breeding ground for new security technologists including anti-virus applications.

Advisory Challengers
CA, NAI, Proland, Sophos, Sybari, and Trend Micro anti-virus products are all credible and respectable products, and with not that much work, their advisories can all be improved.
The Network Associates site was incredibly slow, and it wasn’t clear what the difference was between the McAfee antivirus tool and Dr. Solomon’s. The same advisory was issued for each product. If there is no difference in how these two antivirus tools work, why is Network Associates supporting both tools? After all, Network Associates purchased Dr. Solomon’s back in 1998. By now they should have integrated the products and their customer base to keep operating expenses in check. If Network Associates hopes to rekindle its flame, integrating these two anti-virus tools should be on their “to do” list. Network Associates did provide the most definitive risk assessment criteria. As well, Network Associates appeared to be the only place to get a Mac anti-virus tool, though Macs were not affected by the ILOVEYOU worm. Network Associates may be a market leader, but it clearly needs to tidy up its virus engineering and development efforts if it expects to keep its market share.
Interestingly, there is a global presence in the mid-level anti-virus products as well, with India-based Proland and Australia-based Sophos both reporting respectable showings.
In the same April 2000 anti-virus test given by Virus Bulletin for “in the wild” viruses, F-Secure, Norton, and Sophos also detected 100% of the virus test suite and won a VB100% award. On the other hand, CA Inoculate IT, NAI VirusScan, and Norman Virus Control all failed to detect 100% of the viruses used in the test.

Advisory Losers
The current anti-virus advisory losers are Nemx and Content Technologies. If these companies want to play in the anti-virus big leagues, they’re going to have to put a little more effort into the advisory part of their product.
Content Technologies and Nemx did not have an advisory of any sort on their sites, though they did claim their anti-virus products removed the ILOVEYOU worm. The lack of an advisory does not mean their products don’t work, but if they do work, we’d like to know how.

Market Predictions
We expect this market to grow at a rate of 300% for the next 3-5 years. With a current minimum global market of $1.2 billion, this means that there is a lot of market share out there for anti-virus vendors. Anti-virus software is already being integrated into firewalls and other web-based secure server products. As these markets grow and the high circulation of viruses continues, these market segments will explode. There will be plenty of market share out there for multiple vendors, and as the customer bases of the smaller anti-virus companies grow, we expect to see ongoing market consolidation.
Today’s viruses are much more prank oriented than destruction oriented. More often than not, they are an annoyance, and not nearly as destructive as they could be. As anti-virus products become more sophisticated, expect virus writers to become increasingly clever and more destructive. With proficient coding skills and an unhealthy psychological state, a virus writer can wreak global havoc. Any competitive business, small or large, should have a virus management program.

Vendor Recommendations
By this time next year, we hope at least one of these products has an accompanying advisory that scores 100% in all categories. To survive in this very competitive market, anti-virus leaders will need to make sure their product is enterprise capable, and has an advisory that is fully explained and documented. Though some users may not read the advisories, any enterprise customer will have some users interested in knowing what is happening on their hard drive, especially the person or department held responsible for managing viruses.

User Recommendations
Using a downloadable anti-virus update, without an informative advisory to go with it, is risky. If a vendor cannot show you that they understand how the virus propagates, and how the anti-virus update works, their downloadable may not be up to snuff.
Further, at least one person in every organization should be held accountable for virus management, and that person, if not any other, needs to have an advisory to read to understand how the anti-virus tool, update, or pattern works.

 
